FDA finds St. Jude Medical cardiac devices can be hacked

Register now

The Food and Drug Administration has issued a warning that it has confirmed cybersecurity vulnerabilities in St. Jude Medical’s implantable cardiac devices and its Merlin@home transmitter.

The company has acknowledged the vulnerability and this week was making available a software patch for the medical devices.

The series of announcements this week confirms allegations that the cardiac device system marketed by St. Jude Medical could be hacked by outsiders, leading to injury or death of patients implanted with the heartbeat-regulating devices.

St. Jude Medical was recently acquired by Abbott Laboratories; the new parent company says it has cooperated in efforts with the FDA and the Department of Health and Human Services, to quickly update and secure the implantable pacemakers.

The FDA announcement on St. Jude Medical devices follows a December publication of guidance for medical device manufacturers on proposed steps they should take to harden their devices against hacking.

Also See: FDA issues industry guidance to secure networked medical devices

The FDA warning on St. Jude Medical devices is for patients using radio frequency enabled technology, including pacemakers, defibrillators and resynchronization devices, which provide pacing for slow heart rhythms and electrical shock or pacing to stop dangerously fast heart rhythms. These devices use Merlin@home, a transmitter that uses RF signals to wirelessly connect to the patient’s device and read the data, then sending it to physicians who can assess the device’s function.

The agency said hackers could exploit the transmitter to “remotely access a patient’s RF-enabled cardiac device,” and the transmitter could be used to rapidly deplete the battery or have the implanted device administer inappropriate pacing or shocks to the heart. The FDA emphasized that there have been “no reports of patient harm related to these cybersecurity vulnerabilities.”

Also See: 6 top security trends for 2017

The FDA’s review of the patch suggests that it will deter interference with the transmitter and device, and it finds that the “health benefits to patients from continued use of the device outweigh the cybersecurity risks.”

“The FDA will continue to assess new information concerning the cybersecurity of St. Jude Medical's implantable cardiac devices and the Merlin@home Transmitter, and will keep the public informed if the FDA's recommendations change,” the agency’s alert noted. “Any medical device connected to a communications network (e.g. Wi-Fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. The increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely healthcare delivery.”

St. Jude Medical concurred with the FDA’s findings, issuing a statement indicating that it would immediately begin deploying the patch to increase the security of its cardiac device system.

“In recognition of the changing cyber security landscape and the increased public attention on highly unlikely medical device cyber risks, we are informing the public about these ongoing actions so that patients can continue to be confident about the benefits of remote monitoring,” the company noted.

The company’s announcement demonstrates that, “St. Jude Medical takes cyber security seriously and is continuously reassessing and updating its devices and systems, as appropriate,” said cyber security expert Ann Barron DiCamillo, former director of U.S. CERT and advisor to St. Jude Medical’s Cyber Security Medical Advisory Board.

“We’ve partnered with agencies such as the U.S. Food and Drug Administration (FDA) and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit and are continuously reassessing and updating our devices and systems, as appropriate,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.

For reprint and licensing requests for this article, click here.